Tech Echo (科技回声)

A tech news platform built on Next.js, providing global tech news and discussion content (a mirror of Hacker News).

Resource links: HackerNews API, original Hacker News, Next.js

© 2025 Tech Echo. All rights reserved.
CISA Zero Trust Maturity Model

87 points, by Jellyspice, over 3 years ago

6 comments

acdha, over 3 years ago

I like seeing these guidelines but I definitely have been thinking about this essay from a couple months back which I think accurately calls the current situation untenable. These are all good advice, but even most government agencies have nowhere near the budget to fully implement them.

https://doublepulsar.com/the-hard-truth-about-ransomware-we-arent-prepared-it-s-a-battle-with-new-rules-and-it-hasn-t-a93ad3030a54

> The truth is, while governments are pushing frameworks such as Zero Trust, the amount of orgs who successfully implement these are… not many. Many companies can barely afford to patch SharePoint, let alone patch the tens of thousands of application vulnerabilities shown in a vulnerability management program, and really struggle with accurate asset lists. …
>
> My concern, for years, has been that ransomware gangs have not only closed the loop on monetization, they are also acquiring so much income they are becoming a bigger operational threat than some states.
>
> To give an example, one ransomware group receiving a $40m payment for attacking a cybersecurity insurance company gives the attackers more budget to launch cyberattack than most medium to large organizations have to defend against attacks in total. And that's just one attack, from one group, that barely made the news radar of most people.
>
> The payment amounts are increasing, the frequency is increasing, the sophistication is increasing.

[Comment #28483676 not loaded]
user3939382, over 3 years ago

I perused the draft and was surprised by my jaded reaction: Great! More effort put into detailed cybersecurity strategies for the likes of OPM, T-Mobile, and Equifax to ignore.

We have thousands of pages of frameworks and NIST guides and the people in charge, especially in the private sector, are free to neglect or ignore them with impunity because apparently regulators don't care and the market doesn't care, so why should they?

It's like we have these brilliant cryptographers working on technical advancements that I can barely grasp, and the people (management) in charge of putting their work to use can't be bothered with basic patch management.

The whole landscape of practical cybersecurity feels very hopeless to me.

[Comment #28482375 not loaded]
[Comment #28482195 not loaded]
[Comment #28483367 not loaded]
[Comment #28484152 not loaded]
[Comment #28482231 not loaded]
offmycloud, over 3 years ago
Zero Trust is such a terrible name. What they really mean is less trust in network location, static firewalls, and site-to-site VPNs, and much more trust in the cryptography behind TLS, identity systems, and how they interact with applications.
[Comment #28487138 not loaded]
adolph, over 3 years ago

See also last month's K8s hardening guidance.

https://news.ycombinator.com/item?id=28050750

https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
elevation, over 3 years ago

Regarding authentication, the "optimal" practice is described as:

> Agency continuously validates identity, not just when access is initially granted.

How does this work practically without having terrible UX? MFA to login, then periodically poll for the presence of a hardware token and less frequently, prompt for password reauthentication?

[Comment #28487205 not loaded]
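One way to make "continuously validates identity" concrete without constant prompting, as an added example that is not from the page, the thread, or CISA's model: every request re-evaluates the session against a per-resource-tier policy. Silent signals (device posture reports, hardware-token presence) are re-checked on a short timer and a negative signal revokes the session outright; interactive proofs (token touch, password) are demanded only once their freshness window for the requested tier has lapsed. The tier names, window sizes, timestamps and request sequence below are constructed assumptions.

```python
"""Continuous session validation with tiered freshness windows.

Added example, not code from the page or from any Zero Trust product.
All policy values, tiers and the simulated request stream are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

HOUR, MIN = 3600, 60


@dataclass
class Session:
    user: str
    device_id: str
    last_password_at: float      # epoch seconds of last password proof
    last_token_touch_at: float   # last hardware-token user-presence proof
    last_posture_ok_at: float    # last successful device posture report
    revoked: bool = False


# Per resource tier: (max password age, max token-touch age, max posture age).
# Constructed values; a real policy would come from the agency's risk model.
POLICY = {
    "low":      (12 * HOUR, 4 * HOUR, 15 * MIN),
    "high":     (8 * HOUR,  30 * MIN, 5 * MIN),
    "critical": (1 * HOUR,  5 * MIN,  1 * MIN),
}


def evaluate(s: Session, tier: str, now: float,
             posture_report: Optional[bool] = None,
             token_present: bool = True) -> str:
    """Decide one request: allow / step_up_token / reauth_password /
    posture_stale / deny.

    posture_report: True/False if the device agent reported on this request,
    None if no report accompanied it (fall back to the posture timer).
    Hard negative signals (failed posture, token unplugged) revoke the
    session instead of merely prompting; a prompt would let an attacker on a
    compromised device simply answer it.
    """
    if s.revoked:
        return "deny"
    if posture_report is False or not token_present:
        s.revoked = True
        return "deny"
    if posture_report is True:
        s.last_posture_ok_at = now  # silent refresh, no user interaction

    max_pw, max_touch, max_posture = POLICY[tier]
    # Most disruptive requirement first, so a single prompt covers everything.
    if now - s.last_password_at > max_pw:
        return "reauth_password"
    if now - s.last_token_touch_at > max_touch:
        return "step_up_token"
    if now - s.last_posture_ok_at > max_posture:
        return "posture_stale"   # agent must re-report; user sees nothing
    return "allow"


def record_password(s: Session, now: float) -> None:
    """Called after a successful password re-authentication."""
    s.last_password_at = now


def record_token_touch(s: Session, now: float) -> None:
    """Called after a successful hardware-token user-presence check."""
    s.last_token_touch_at = now


def simulate() -> List[str]:
    """Constructed request stream for one session; returns the decisions."""
    t0 = 1_700_000_000.0
    s = Session("alice", "laptop-1", t0, t0, t0)   # fresh MFA login at t0
    d = []
    d.append(evaluate(s, "low", t0 + 10 * MIN, posture_report=True))  # allow
    d.append(evaluate(s, "low", t0 + 20 * MIN))              # posture 10m old: allow
    d.append(evaluate(s, "low", t0 + 40 * MIN))              # posture 30m old: posture_stale
    d.append(evaluate(s, "low", t0 + 40 * MIN, posture_report=True))  # allow
    d.append(evaluate(s, "critical", t0 + 40 * MIN))         # touch 40m old: step_up_token
    record_token_touch(s, t0 + 40 * MIN)
    d.append(evaluate(s, "critical", t0 + 40 * MIN))         # allow
    d.append(evaluate(s, "critical", t0 + 2 * HOUR, posture_report=True))  # pw 2h old: reauth_password
    record_password(s, t0 + 2 * HOUR)
    d.append(evaluate(s, "critical", t0 + 2 * HOUR))         # touch 80m old: step_up_token
    record_token_touch(s, t0 + 2 * HOUR)
    d.append(evaluate(s, "critical", t0 + 2 * HOUR))         # allow
    d.append(evaluate(s, "low", t0 + 2 * HOUR + 5 * MIN, token_present=False))  # deny, revoked
    d.append(evaluate(s, "low", t0 + 2 * HOUR + 5 * MIN))    # still deny
    return d


if __name__ == "__main__":
    for i, decision in enumerate(simulate(), 1):
        print(f"request {i:2d}: {decision}")
```

The UX trade-off lives in the policy table: the low tier never prompts more than a few times a day, while the critical tier asks for a token touch every few minutes but still never asks for a password more than hourly. Two details matter for security rather than convenience: a negative posture or token signal revokes rather than prompts, and the checks are ordered so that one interactive step satisfies every expired window at once instead of chaining several prompts.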
unixhero, over 3 years ago
Just in time before 2022. Great!